CL · Jun 3

Hybrid Adversarial Defence for Natural Language Understanding Tasks

arXiv:2606.04612 · 78.9
Predicted impact: top 73% in CL (last 90 days) · Originality: incremental advance
AI Analysis

This work addresses the need for unified defences against both hallucination and adversarial attacks in LLMs for NLU tasks, showing that combining multiple feature types outperforms single-feature approaches.

The paper proposes a hybrid adversarial defence framework combining entropy, uncertainty, and geometric features to improve both clean-task performance and adversarial robustness in NLU tasks. On in-domain datasets, it achieves up to 43.34% accuracy increase and 64.92% adversarial robustness improvement; on out-of-distribution datasets, up to 57.14% accuracy improvement; and on prompt injection/jailbreak detection, up to 51% reduction in attack success rate.

Large Language Models (LLMs) are vulnerable both to hallucination and to adversarial manipulation. Although these problems are closely related, existing defences typically address them separately. We investigate a hybrid defence framework that combines entropy-based models, designed to reduce hallucinations, with uncertainty-based and geometric-based models, designed to reduce vulnerability to adversarial inputs. Under in-domain tests on Natural Language Understanding datasets (FEVER, HotpotQA, CSQA, SIQA) we find that our hybrid model improves both clean-task performance (up to 43.34% increase in accuracy) and adversarial robustness (up to 64.92% improvement in accuracy and 62.27% reduction in attack success rate). For out-of-distribution datasets (AeroEngQA, CPIQA) we see similar adversarial robustness from our hybrid model (up to 57.14% improvement in accuracy). For prompt injection (SafeGuard) and jailbreak detection (AdvBench, DAN) datasets our hybrid model is also very strong (up to 51% reduction in attack success rate compared to state-of-the-art baseline models). Overall, our results show that combining entropy, uncertainty and geometric features provides a more effective defence strategy than using any single feature alone, for both in-domain and out-of-distribution tasks.
